HTTP Basic Authentication


HTTP Basic Authentication explained using tomcat as an example

Use case: tomcat with basic authentication.

Most of you might have used tomcat and tried to look at the list of deployed web applications in it. When the user clicks on the manager web apps link, a pop-up challenge appears in the browser asking for a username and password. The user enters the credentials and gets the list of deployed apps (refer to Appendix A for username and password details).


Figure 1: Tomcat challenging for credentials



A few questions this post tries to answer:
  1. How does the browser throw a pop-up challenge when a protected page is accessed?
  2. How are the username and password transferred from the browser to the tomcat server?


Topics:
  1. Tomcat basic authentication flow
  2. Basic authentication HTTP headers

Tomcat basic authentication flow

Scenario: Let's look at the flow between the user's browser and the tomcat server when a user tries to access a protected page on the tomcat server.

Figure 2: Basic authentication flow using tomcat. On the left side is the user browser and on the right side is the tomcat server.

Note: /manager/html is a protected resource in tomcat.

Step 1: (From User Browser To Tomcat Server)
  1. The user tries to access a protected page on tomcat, i.e. /manager/html.
  2. The HTTP method used here is 'GET'.
  3. The request carries the address of the tomcat server in the Host header. Please see below the HTTP headers that flow during the transaction.


Sample HTTP headers for the Step 1 request and Step 2 response

Step 2: (From Tomcat Server to User Browser)
  1. As the accessed URI (/manager/html) is a protected resource on tomcat, tomcat checks for credentials sent along with the request.
  2. No credentials are present with the request, so tomcat won't allow the user to access the page; instead it issues a challenge.
  3. Tomcat needs to challenge the user for credentials, i.e. make the browser throw a pop-up for credentials as shown in figure 1.
    1. Tomcat sends HTTP response code 401 to the browser. From the 401 response code the browser understands that the request it made was unauthorized and that it needs to throw a basic authentication pop-up for credentials.
    2. Tomcat additionally sends the HTTP header "WWW-Authenticate" with the word Basic and a realm name:
        WWW-Authenticate: Basic realm="Tomcat Manager Application"

"Basic" means tomcat is expecting credentials in the basic authentication format.
realm="Tomcat Manager Application" means that when the browser throws the pop-up, it must display "Tomcat Manager Application" as the name in the challenge. Please check figure 1 for details; that is the realm name.

Step 3: (From User Browser To Tomcat Server)
  1. The user enters the username and password in the pop-up challenge.
  2. The browser joins the username and password with a colon and base64-encodes the joined string.
      Example: tomcat:s3cret     (username:password)
      The base64 encoding of username:password, i.e. of (tomcat:s3cret), is 'dG9tY2F0OnMzY3JldA=='
  3. The Authorization header "Authorization: Basic" with the base64 value is passed to the server. The word Basic in the Authorization header means that the browser is sending the credentials in the basic authentication format.


Sample HTTP headers for the Step 3 request and Step 4 response

Step 4: (From Tomcat Server to User Browser)
  1. The tomcat server receives the request and checks for the Authorization header.
  2. The web application decodes the base64 value of the Authorization header.
  3. It validates the username and password internally and serves the requested page.



Basic authentication HTTP headers:

The security headers in basic authentication are 'WWW-Authenticate' and 'Authorization'.

WWW-Authenticate:
WWW-Authenticate is a response header. When the server receives a request for a protected page and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code and a WWW-Authenticate header.
    WWW-Authenticate: <Auth-type> realm="<Custom name for the realm>"
The custom name for the realm is displayed during the challenge.
ex:    WWW-Authenticate: Basic realm="Tomcat Manager Application"

Authorization Header:

When the user wants to send credentials to the server, the Authorization header is used. It's a request header and looks like Authorization: Basic <base64 encoded credentials>

ex:    Authorization: Basic dG9tY2F0OnMzY3JldA==
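The four steps of the flow and the two headers described above, as an added example in Python (this is example code written for this post, not Tomcat's own implementation). It assumes a constructed user store mirroring the Appendix A entry, hypothetical helper names (challenge, encode_basic_credentials, parse_authorization, handle_request), and plain dicts standing in for the HTTP request and response headers:

```python
import base64
import binascii
import hmac

# Constructed user store mirroring the conf/tomcat-users.xml entry in Appendix A.
# Added example code, not Tomcat's implementation.
USERS = {"tomcat": "s3cret"}
REALM = "Tomcat Manager Application"


def challenge(realm=REALM):
    """Step 2: the 401 response sent when no acceptable credentials arrive."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'}}


def encode_basic_credentials(username, password):
    """Step 3 (browser side): join with a colon, then base64-encode the bytes."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(header):
    """Step 4: turn 'Authorization: Basic <b64>' back into (username, password).

    Returns None for anything that is not a well-formed Basic credential, so the
    caller re-issues the challenge instead of raising.
    """
    if header is None:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; a password may itself contain colons.
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def handle_request(headers, users=USERS):
    """Steps 1-4 end to end for a GET on the protected /manager/html page.

    `headers` is a dict of request headers; the result is a dict with the
    status code and response headers, as a server would emit them.
    """
    creds = parse_authorization(headers.get("Authorization"))
    if creds is None:
        return challenge()
    username, password = creds
    expected = users.get(username)
    # Constant-time comparison so response timing does not leak how much of
    # the password matched.
    if expected is None or not hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    ):
        return challenge()
    return {"status": 200, "headers": {}, "body": "<list of deployed apps>"}


if __name__ == "__main__":
    # Step 1: bare request without credentials -> Step 2: 401 plus WWW-Authenticate
    first = handle_request({"Host": "localhost:8080"})
    print(first["status"], first["headers"])
    # Step 3: browser resends with Authorization -> Step 4: 200 and the page
    auth = encode_basic_credentials("tomcat", "s3cret")
    print(auth)
    second = handle_request({"Host": "localhost:8080", "Authorization": auth})
    print(second["status"])
```

Note that parse_authorization recovers the plain password from the header: base64 is a reversible encoding, not encryption, so anyone who can read the request sees the credentials. This is why Basic authentication should only be used over TLS, and why the server-side comparison above is done in constant time and rejects malformed headers with a fresh challenge rather than an error.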

Answers to the questions:

  • How does the browser throw a pop-up challenge when a page is accessed?
Answer: On accessing a protected page without valid credentials, the server sends HTTP response code 401 to the browser. This makes the browser throw a pop-up challenge.
  • How are the username and password transmitted from the browser to tomcat?
Answer: The user credentials are converted to base64 format and are sent to the server in the HTTP Authorization request header.


Good to know facts:
Appendix A:

The default username and password would be tomcat and s3cret respectively, provided the following lines are present in conf\tomcat-users.xml

 <role rolename="manager-gui"/>
 <user username="tomcat" password="s3cret" roles="manager-gui"/>


Appendix B:

Base64: MIME's Base64 implementation uses A-Z, a-z and 0-9 for the first 62 values. It encodes 3 octets into 4 encoded characters. The table below is used for the encoded values.
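To make the "3 octets into 4 encoded characters" rule concrete, here is an added example (not part of the original post) that implements the Base64 alphabet and the encoding and decoding by hand, and cross-checks the result against Python's standard library. The function names b64encode_manual, b64decode_manual and matches_stdlib are assumptions of this example:

```python
import base64

# The 64-symbol MIME Base64 alphabet: A-Z, a-z, 0-9 give the first 62 values,
# '+' and '/' the last two; '=' is padding, not a value.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Encode bytes as Base64: every 3 octets (24 bits) become 4 six-bit symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)                              # 0, 1 or 2 octets short in the last group
        group = int.from_bytes(chunk + b"\x00" * missing, "big")   # one 24-bit value
        symbols = [ALPHABET[(group >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        if missing:
            symbols[4 - missing:] = "=" * missing             # symbols with no real data become '='
        out.extend(symbols)
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Reverse the mapping; rejects bad lengths, bad characters and misplaced '='."""
    if len(text) % 4:
        raise ValueError("Base64 input must be a multiple of 4 characters")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and (i + 4 != len(text) or not quad.endswith("=" * pad))):
            raise ValueError("padding may only appear at the very end")
        group = 0
        for ch in quad:
            # ALPHABET.index raises ValueError for any character outside the alphabet
            group = (group << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += group.to_bytes(3, "big")[:3 - pad]             # drop the octets that were padding
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written codec against the standard library on one input."""
    encoded = b64encode_manual(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode_manual(encoded) == data)


if __name__ == "__main__":
    # The post's own credential string, encoded by hand: 13 octets -> 20 symbols
    print(b64encode_manual(b"tomcat:s3cret"))
    print(b64decode_manual("dG9tY2F0OnMzY3JldA=="))
    print(matches_stdlib(bytes(range(256))))
```

The decoder is strict on purpose: a server that accepts an Authorization header should reject lengths that are not a multiple of four, characters outside the alphabet, and padding anywhere except the end, rather than guessing what the client meant.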





Final word..
Thanks to my friends for their support:).

Authentication

Let's try to explain what Authentication is in the Information Security domain.

Authentication is about identity validation. It's a process to determine whether the user or entity is who they claim to be. A typical example of authentication is the login credentials entered when logging in to any site or portal.

Authentication can be classified into the following three types.

1. Something you know
2. Something you have
3. Something you are


1. Something you know.
It's knowledge-based authentication. A typical example is the username/password that we use every day to log in to any site. This is the most widely used technique.
Image: remember username and password

Examples:
Password, PIN numbers.




Advantages:
1. Simple mechanism and easy to implement


Image: forgot password


Drawbacks:
1. People tend to forget passwords.

2. Easy to crack. Attacks like brute force and dictionary attacks are common.

"A password that is easy to remember is generally also easy for an attacker to guess".


Prevention Mechanisms:
CAPTCHA, forced lockout after a number of failed attempts and One-Time Passwords are some mechanisms that help prevent the above mentioned attacks.
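The "forced lockout after a number of failed attempts" mechanism, as an added example in Python (not part of the original post). It assumes a hypothetical LoginGuard class with a constructed in-memory user store, and takes an injectable clock so the lockout window can be exercised without waiting:

```python
import hmac
import time


class LoginGuard:
    """Knowledge-factor login that locks an account after repeated failures.

    Added example; `users` is a constructed username -> password mapping kept in
    plain text only for the demo, and `clock` is injectable for testing.
    """

    def __init__(self, users, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}       # username -> consecutive failed attempts
        self.locked_until = {}   # username -> clock value at which the lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:            # window elapsed: clear the lock and the counter
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'. A locked account is refused even with the right password."""
        if self.is_locked(username):
            return "locked"
        expected = self.users.get(username)
        # Constant-time comparison so timing does not reveal how much of the guess matched.
        ok = expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8")
        )
        if ok:
            self.failures.pop(username, None)   # a success resets the counter
            return "ok"
        # Unknown usernames are counted too, so the response does not reveal which names exist.
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: three wrong guesses lock the account for 60 seconds of fake time.
    fake_now = [0.0]
    guard = LoginGuard({"alice": "correct horse"}, max_failures=3,
                       lockout_seconds=60, clock=lambda: fake_now[0])
    for guess in ("wrong", "wrong", "wrong", "correct horse"):
        print(guess, "->", guard.attempt("alice", guess))
    fake_now[0] = 60.0
    print("after window ->", guard.attempt("alice", "correct horse"))
```

A lockout blunts brute-force and dictionary attacks, but it also means anyone who knows a username can lock that user out by sending wrong guesses, so in practice it is combined with the other mechanisms the post lists (CAPTCHA, one-time passwords) or with progressive delays rather than a hard lock. A real deployment would also store password hashes, not the plain passwords used in this demo.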




2. Something you have.
It's ownership-based authentication. It is based on something a principal or authenticating entity has.
An access card swiped at the entry and exit of a door would be a use case for ownership-based authentication.
Image: access card swiping at entrance
An attacker must obtain or copy the token in order to break this kind of authentication.

Examples:
1. Magnetic strip cards (credit cards/ATM cards)
2. Smart cards (challenge/response cards and cryptographic calculators)



3. Something you are.

It is based on physiological or behavioral characteristics to verify the identity of an individual.
Image: fingerprint, biometric authentication
Every individual has unique biometric data, and an individual's behavioral or physiological characteristics have the capability to reliably distinguish between an authorized and an unauthorized person.

Examples:
1. Biometrics includes fingerprints, retina scan, voice, facial and hand geometry, and so on

Advantages:
Hardest to break.

Disadvantages:
Cost and availability
High false acceptance rate for devices


Application of the principles:
Any of the above principles can be used alone or in a combination of two or all three. When the above factors are used in combination, authentication becomes harder to break.

Multi-Factor Authentication:
An ATM card would be a simple example of it: it uses a combination of "Something you have" (ATM card) and "Something you know" (PIN number). Even if the card is lost, the PIN number is required to prove authentication.